Added the provision to store last acctivity on the database

nagibmahfuj · nagibmahfuj · commit 11d9c40bf119 · 2025-11-13T18:00:20.000+06:00
diff --git a/README.md b/README.md
@@ -74,10 +74,11 @@ This will create a `config/security-policies.php` file with default values. You
 
 ### Session
 
-| Key                            | Type                | Default | Description                                  |
-| ------------------------------ | ------------------- | ------- | -------------------------------------------- |
-| `session.idle_timeout_minutes` | integer             | `30`    | Minutes of inactivity before forcing logout. |
-| `session.redirect_on_idle_to`  | string (route name) | `login` | Route to redirect to after idle timeout.     |
+| Key                            | Type                | Default   | Description                                                     |
+| ------------------------------ | ------------------- | --------- | --------------------------------------------------------------- |
+| `session.idle_timeout_minutes` | integer             | `30`      | Minutes of inactivity before forcing logout.                    |
+| `session.redirect_on_idle_to`  | string (route name) | `login`   | Route to redirect to after idle timeout.                        |
+| `session.last_activity_store`  | string              | `session` | Where to store last activity timestamp: 'session' or 'database' |
 
 ### MFA
 
@@ -105,25 +106,26 @@ This will create a `config/security-policies.php` file with default values. You
 
 ### Password
 
-| Key                               | Type                | Default            | Description                                                                                       |
-| --------------------------------- | ------------------- | ------------------ | ------------------------------------------------------------------------------------------------- |
-| `password.min_length`             | integer             | `12`               | Minimum password length.                                                                          |
-| `password.min_digits`             | integer             | `1`                | Minimum digits required.                                                                          |
-| `password.min_symbols`            | integer             | `1`                | Minimum symbols required.                                                                         |
-| `password.min_lowercase`          | integer             | `1`                | Minimum lowercase letters required.                                                               |
-| `password.min_uppercase`          | integer             | `1`                | Minimum uppercase letters required.                                                               |
+| Key                               | Type                | Default                            | Description                                                                                       |
+| --------------------------------- | ------------------- | ---------------------------------- | ------------------------------------------------------------------------------------------------- |
+| `password.min_length`             | integer             | `12`                               | Minimum password length.                                                                          |
+| `password.min_digits`             | integer             | `1`                                | Minimum digits required.                                                                          |
+| `password.min_symbols`            | integer             | `1`                                | Minimum symbols required.                                                                         |
+| `password.min_lowercase`          | integer             | `1`                                | Minimum lowercase letters required.                                                               |
+| `password.min_uppercase`          | integer             | `1`                                | Minimum uppercase letters required.                                                               |
 | `password.allowed_symbols`        | string              | `!@#$%^&*()_+-={}[]:;'"<>,.?/\\|~` | Allowed symbol set counted by StrongPassword and used to reject disallowed characters.            |
-| `password.expire_days`            | integer             | `90`               | Force password change after X days.                                                               |
-| `password.history`                | integer             | `5`                | Disallow reuse of last X passwords.                                                               |
-| `password.require_history`        | bool                | `false`            | If true, user must have at least one password history entry; otherwise redirected to change page. |
-| `password.redirect_on_expired_to` | string (route name) | `password.request` | Route to redirect to when password is expired or when history is required but missing.            |
+| `password.expire_days`            | integer             | `90`                               | Force password change after X days.                                                               |
+| `password.history`                | integer             | `5`                                | Disallow reuse of last X passwords.                                                               |
+| `password.require_history`        | bool                | `false`                            | If true, user must have at least one password history entry; otherwise redirected to change page. |
+| `password.redirect_on_expired_to` | string (route name) | `password.request`                 | Route to redirect to when password is expired or when history is required but missing.            |
 
 ### User Columns
 
-| Key                                | Type   | Default               | Description                                                   |
-| ---------------------------------- | ------ | --------------------- | ------------------------------------------------------------- |
-| `user_columns.last_mfa_at`         | string | `last_mfa_at`         | User model column that stores when MFA was last completed.    |
-| `user_columns.password_changed_at` | string | `password_changed_at` | User model column that stores when password was last changed. |
+| Key                                | Type   | Default               | Description                                                                            |
+| ---------------------------------- | ------ | --------------------- | -------------------------------------------------------------------------------------- |
+| `user_columns.last_mfa_at`         | string | `last_mfa_at`         | User model column that stores when MFA was last completed.                             |
+| `user_columns.password_changed_at` | string | `password_changed_at` | User model column that stores when password was last changed.                          |
+| `user_columns.last_activity_at`    | string | `last_active_at`      | User model column that stores the last activity timestamp when using database storage. |
 
 Publish migrations:
 
@@ -205,9 +207,25 @@ php artisan vendor:publish --provider="NagibMahfuj\LaravelSecurityPolicies\Larav
 - `password_histories`: user_id, password_hash, timestamps
 - `mfa_challenges`: user_id, code, expires_at, consumed_at, attempts, timestamps
 - `trusted_devices`: user_id, device_fingerprint, user_agent, ip_hash, verified_at, last_seen_at, timestamps
-- Alters `users` table (defaults): `last_mfa_at`, `password_changed_at`
+- Alters `users` table (defaults): `last_mfa_at`, `password_changed_at`, `last_active_at`
   - You may rename these columns in your own migrations and set the names via `user_columns.*` in the config.
 
+### Enabling Database Storage for Last Activity
+
+To use database storage for last activity tracking:
+
+1. Ensure your `users` table has a timestamp column for last activity (default: `last_active_at`). The published migration will add this if needed.
+2. Set the following in `config/security-policies.php`:
+   ```php
+   'session' => [
+       'last_activity_store' => 'database', // or 'session' for the default behavior
+   ],
+   'user_columns' => [
+       'last_activity_at' => 'last_active_at', // customize column name if needed
+   ],
+   ```
+3. The middleware will now track last activity in the database instead of the session.
+
 ## Events & Listeners
 
 - Listens to `Illuminate\Auth\Events\PasswordReset`
diff --git a/config/security-policies.php b/config/security-policies.php
@@ -4,6 +4,7 @@
 	'session' => [
 		'idle_timeout_minutes' => 30,
 		'redirect_on_idle_to'  => 'login',
+		'last_activity_store'  => 'session',
 	],
 	'mfa' => [
 		'enabled'                  => true,
@@ -32,5 +33,6 @@
 	'user_columns' => [
 		'last_mfa_at'         => 'last_mfa_at',
 		'password_changed_at' => 'password_changed_at',
+		'last_activity_at'    => 'last_active_at',
 	],
 ];
diff --git a/database/migrations/2025_11_10_000004_add_security_fields_to_users_table.php b/database/migrations/2025_11_10_000004_add_security_fields_to_users_table.php
@@ -1,42 +1,52 @@
 <?php
 
-use Illuminate\Database\Migrations\Migration;
-use Illuminate\Database\Schema\Blueprint;
 use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
 
 return new class extends Migration {
-    public function up(): void
-    {
-        $lastMfaCol = config('security-policies.user_columns.last_mfa_at', 'last_mfa_at');
-        $pwdChangedCol = config('security-policies.user_columns.password_changed_at', 'password_changed_at');
+	public function up(): void
+	{
+		$lastMfaCol      = config('security-policies.user_columns.last_mfa_at', 'last_mfa_at');
+		$pwdChangedCol   = config('security-policies.user_columns.password_changed_at', 'password_changed_at');
+		$lastActivityCol = config('security-policies.user_columns.last_activity_at', 'last_active_at');
+
+		Schema::table('users', function (Blueprint $table) use ($lastMfaCol, $pwdChangedCol, $lastActivityCol) {
+			if (!Schema::hasColumn('users', $lastMfaCol)) {
+				$table->timestamp($lastMfaCol)->nullable()->after('remember_token');
+			}
+			if (!Schema::hasColumn('users', $pwdChangedCol)) {
+				// place after last MFA column when possible
+				$afterCol = Schema::hasColumn('users', $lastMfaCol) ? $lastMfaCol : 'remember_token';
+				$table->timestamp($pwdChangedCol)->nullable()->after($afterCol);
+			}
+			if (!Schema::hasColumn('users', $lastActivityCol)) {
+				$afterCol2 = Schema::hasColumn('users', $pwdChangedCol) ? $pwdChangedCol : (Schema::hasColumn('users', $lastMfaCol) ? $lastMfaCol : 'remember_token');
+				$table->timestamp($lastActivityCol)->nullable()->after($afterCol2);
+			}
+		});
+	}
 
-        Schema::table('users', function (Blueprint $table) use ($lastMfaCol, $pwdChangedCol) {
-            if (!Schema::hasColumn('users', $lastMfaCol)) {
-                $table->timestamp($lastMfaCol)->nullable()->after('remember_token');
-            }
-            if (!Schema::hasColumn('users', $pwdChangedCol)) {
-                // place after last MFA column when possible
-                $afterCol = Schema::hasColumn('users', $lastMfaCol) ? $lastMfaCol : 'remember_token';
-                $table->timestamp($pwdChangedCol)->nullable()->after($afterCol);
-            }
-        });
-    }
-    public function down(): void
-    {
-        $lastMfaCol = config('security-policies.user_columns.last_mfa_at', 'last_mfa_at');
-        $pwdChangedCol = config('security-policies.user_columns.password_changed_at', 'password_changed_at');
+	public function down(): void
+	{
+		$lastMfaCol      = config('security-policies.user_columns.last_mfa_at', 'last_mfa_at');
+		$pwdChangedCol   = config('security-policies.user_columns.password_changed_at', 'password_changed_at');
+		$lastActivityCol = config('security-policies.user_columns.last_activity_at', 'last_active_at');
 
-        Schema::table('users', function (Blueprint $table) use ($lastMfaCol, $pwdChangedCol) {
-            $drops = [];
-            if (Schema::hasColumn('users', $lastMfaCol)) {
-                $drops[] = $lastMfaCol;
-            }
-            if (Schema::hasColumn('users', $pwdChangedCol)) {
-                $drops[] = $pwdChangedCol;
-            }
-            if (!empty($drops)) {
-                $table->dropColumn($drops);
-            }
-        });
-    }
+		Schema::table('users', function (Blueprint $table) use ($lastMfaCol, $pwdChangedCol, $lastActivityCol) {
+			$drops = [];
+			if (Schema::hasColumn('users', $lastMfaCol)) {
+				$drops[] = $lastMfaCol;
+			}
+			if (Schema::hasColumn('users', $pwdChangedCol)) {
+				$drops[] = $pwdChangedCol;
+			}
+			if (Schema::hasColumn('users', $lastActivityCol)) {
+				$drops[] = $lastActivityCol;
+			}
+			if (!empty($drops)) {
+				$table->dropColumn($drops);
+			}
+		});
+	}
 };
diff --git a/src/Http/Middleware/IdleTimeoutMiddleware.php b/src/Http/Middleware/IdleTimeoutMiddleware.php
@@ -4,6 +4,7 @@
 
 use Closure;
 use Illuminate\Http\Request;
+use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Auth;
 
 class IdleTimeoutMiddleware
@@ -12,14 +13,38 @@ public function handle(Request $request, Closure $next)
 	{
 		$timeout = (int) config('security-policies.session.idle_timeout_minutes', 30);
 		if ($timeout > 0 && Auth::check()) {
-			$last = (int) $request->session()->get('last_activity_ts', time());
-			if ((time() - $last) > ($timeout * 60)) {
-				Auth::logout();
-				$request->session()->invalidate();
-				$request->session()->regenerateToken();
-				return redirect()->route(config('security-policies.session.redirect_on_idle_to', 'login'))->with('error', 'You have been logged out due to inactivity.');
+			$store = (string) config('security-policies.session.last_activity_store', 'session');
+			$nowTs = time();
+
+			if ($store === 'database') {
+				$user   = Auth::user();
+				$col    = config('security-policies.user_columns.last_activity_at', 'last_active_at');
+				$lastAt = $user->{$col} ?? null;
+				$lastTs = $lastAt ? Carbon::parse($lastAt)->timestamp : $nowTs;
+
+				if (($nowTs - $lastTs) > ($timeout * 60)) {
+					Auth::logout();
+					$request->session()->invalidate();
+					$request->session()->regenerateToken();
+					return redirect()->route(config('security-policies.session.redirect_on_idle_to', 'login'))
+						->with('error', 'You have been logged out due to inactivity.');
+				}
+
+				// Throttle DB writes to at most once per minute
+				if (($nowTs - $lastTs) >= 60) {
+					$user->forceFill([$col => Carbon::now()])->save();
+				}
+			} else {
+				$last = (int) $request->session()->get('last_activity_ts', $nowTs);
+				if (($nowTs - $last) > ($timeout * 60)) {
+					Auth::logout();
+					$request->session()->invalidate();
+					$request->session()->regenerateToken();
+					return redirect()->route(config('security-policies.session.redirect_on_idle_to', 'login'))
+						->with('error', 'You have been logged out due to inactivity.');
+				}
+				$request->session()->put('last_activity_ts', $nowTs);
 			}
-			$request->session()->put('last_activity_ts', time());
 		}
 		return $next($request);
 	}
